CDT released a report yesterday examining how federal government agencies can acquire important usage data from users of their websites while still respecting privacy rights.  In conjunction with the release of that report, CDT hosted a panel of privacy policy experts in a moderated discussion of the report’s findings.  The panel fielded questions from in-person attendees as well as those following the event via our live Twitter feed and UStream.tv channel.

One of the stated goals in the report was “to stimulate public comment and debate” on these issues and solicit feedback on the recommendations from both the public and private sector.  What better way to stimulate discussion in a Web 2.0 world than through live Twitter feeds and Web streams, where users can submit questions and comments.  The Twitter feed discussion (under the hashtag #govmeas) and live Web stream allowed us to engage new audiences and solicit feedback in the discussion about privacy rights in a Gov 2.0 world.  If you were unable to view the discussion live, the feed can be read in its entirety by searching the hashtag on Twitter.

Here’s a sample of the comments and questions posed to the panel via Twitter :

“Learning alot about gov. & privacy via chat #govmeas Thanks to @CenDemTech.” -@tracysherman
“Would web measurement be the same for all agencies? would DHS and EPA would track the same way? #govmeas.” -@DCBadger
“Explain the importance of analytics, and why a greater emphasis on it over changes to the overall system #p2 #govmeas #gov20.” -@timryan
“Would be interested if privacy issues in #gov20 collaboration are discussed-Both Govt. worker privacy and authenticated citizens.” -@noeldickover
“So will OMB policy shift? from no persistent cookys 2 persist. cookys w/user acceptance?” -@joyrenee

Even the panelists and moderators got involved:

“Moderating at @CenDemTech, @EFF, at 3 PM. Submit questions, follow #govmeas, watch it live http://bit.ly/v5sKz” -@GregElin
“‘Analytics allow user experience to be optimized by analyzes how site is used’- A.Cooper #govmeas.” -@emd5005

If this feedback is any indication, it is clear that the report will continue to raise discussion and awareness concerning Web measurement and privacy rights as more of these technologies are implemented in the new open government space.

The Cybersecurity Act of 2009, S. 773, introduced by Senators Rockefeller (D-WV) and Snowe (R-ME), has kicked off what promises to be an intense debate over the federal government’s cybersecurity policy.  There’s broad consensus about the goal – better security for both governmental and private sector critical infrastructure information systems – but not much agreement about how to achieve it.

The Rockefeller/Snowe bill includes some especially troubling provisions.  For starters, it would give the President the authority to limit or shut down Internet traffic to federal government and private critical infrastructure systems.  It would give the Secretary of Commerce the power to override any law, regulation, or policy – including privacy laws and laws protecting trade secrets – to obtain access to information held by private parties that might be relevant to cybersecurity threats and vulnerabilities.  Broadly read, the provision would authorize the Secretary of Commerce to override the Wiretap Act and the Electronic Communications Privacy Act to gain access to communications content. Finally, it includes provisions that would allow the government to dictate software design standards for the private sector.

CDT has prepared a detailed analysis of the Rockefeller-Snowe bill here.

Fortunately, the Rockefeller/Snowe bill isn’t the only game in town.

Senator Carper’s (D-DE) U.S. Information and Communications Enhancement (ICE) Act (S. 921) takes an entirely different, and much more appropriate, approach.  It focuses primarily on strengthening the security of governmental information systems by amending the Federal Information Security Management Act.  In contrast, many provisions of the Rockefeller-Snowe bill would apply the same measures and authorities without distinction to both private and public systems.

(more…)

In what has come to be a bit of a tradition, Senator Lieberman has
introduced a resolution in the Senate to put non-confidential Congressional Research Service (CRS) reports online. A good bi-partisan group including Senators McCain (R-AZ), Leahy (D-VT), Feingold (D-WI), Harkin (D-IA), Collins (R-ME), and Lugar (R-IN) have co-sponsored the resolution, and we commend each of them; in particular, Senators McCain and Leahy have long histories of trying to free CRS reports. Since this is a Senate resolution, it would only have to be approved by the Senate Rules Committee and the Senate at large- and once passed, the public would have access to CRS reports through Senators’ Websites.

CRS, housed in the Library of Congress, uses taxpayer dollars to produce reports on public policy issues ranging from foreign affairs to agriculture to health care. CRS reports represent some of the best policy research conducted by the federal government. All of the reports are posted online, but access is available only to Congressional offices through an intranet system. Citizens can ask for copies of the reports through their Member of Congress, only if they already know that the report exists. Moreover, the general public cannot search through past reports, and a comprehensive index of the reports is not available online, so citizens basically have to guess when they ask for relevant reports.
(more…)

Last week, during a keynote speech to the National Health Information Network Forum here D.C., Health and Human Services (HHS) Secretary Leavitt announced key privacy principles for electronic health information exchange, called The Nationwide Privacy and Security Framework for Electronic Exchange of Individually Identifiable Health Information. Leavitt hopes these principles will guide the actions of all health care related entities that participate in networks that electronically exchange patient health information. The principles in the new Privacy and Security Framework include: Individual Access; Correction; Openness and Transparency; Individual Choice; Collection, Use, and Disclosure Limitation; Data Quality and Integrity; Safeguards; and Accountability.

In tandem, HHS’s Office of Civil Rights also published new HIPAA Privacy Rule Guidance as part of a “toolkit� to implement the new framework of principles. The guidance provides some important clarifying information on how the Privacy Rule governs covered entities involved in electronic health information exchange. For example, the guidance clarifies that covered entities must enter into business associate agreements with HIEs and RHIOs when these entities are exchanging information on behalf of a covered entity (e.g. exchanging data for treatment purposes). The guidance also clarifies that personal health records offered to consumers by covered entities are covered by the HIPAA Privacy and Security Rules. However, the guidance merely encourages covered entities to adopt stronger privacy and security policies for electronic personal health information consistent with the principles in the new framework.
(more…)

A recent exchange of letters between the McCain campaign and YouTube offers a clear illustration of the importance of fair use in protecting free expression — but also of the risk that the practical utility of fair use can be subverted by other copyright policies.

When CDT and others say that copyright policy raises free expression issues and requires a careful balance, this situation between the McCain camp and YouTube is the kind of thing we have in mind.

Apparently the McCain campaign has posted videos to YouTube that use short clips — some shorter than 10 seconds — of news broadcast footage as a basis for commentary and advocacy. That sure sounds like a classic example of fair use, meaning it should be permitted under copyright law. But the media companies that own the broadcast footage have gone ahead and sent takedown notices alleging copyright infringement, resulting in YouTube blocking access to the videos. The McCain campaign has written to YouTube asking it to review takedown notices aimed at videos posted by political campaigns and candidates and to reject notices that ignore obvious cases of fair use.
(more…)

War, financial crisis and the fate of a nation hanging in the balance. It sounds like a back-of-the-envelope outline for a spy novel, but it’s actually the current political climate in the U.S. Given that, it’s no surprise that discussion of Internet and technology issues is adrift, and that civil liberties protection has been pushed to the margins during this intense political season.

And yet this election cycle provides a great window of opportunity. The President and Congress will have a chance to take a fresh look at the challenges and opportunities of the Internet and set a policy course for this vital medium that will keep it open, innovative and free.

We often take the Internet for granted. In a short time it has become a powerful engine for innovation, economic growth and democratization. The Internet has changed the way we “do” politics. Ordinary Americans are making their voices heard and organizing online. Political candidates are building online networks of supporters, raising unprecedented funds from small donors, and educating the public on their policies and visions.

A few months ago CDT started a dialogue on what we believe are the key issues impacting the digital work-a-day world where most of us are spending an increasing amount of time. The ideas and feedback flowing from that discussion will help us craft a kind of blueprint for technology policy for use by the new Administration, noting things that can be done right now while also providing a strategy for achieving longer term goals.

Starting this week and following through until the election, CDT will focus on specific issue areas and write about each of them here on our Policy Beta blog. Our President, Leslie Harris, will add another level of insight and commentary on the issue in a companion article published in her Huffington Post column. And for those that want a daily dose of policy prognostication —in 140 characters or less—you can follow our efforts via Twitter.

We encourage you to push these blog postings out to your friends, family, forums and social networks. We welcome comments, criticisms and suggestions, all of which will help us sharpen our message and hone our suggestions for the next Administration and Congress.

Last week I had the privilege to attend the 72nd meeting of the Internet Engineering Task Force (IETF), the Internet’s longest-established technical standardization body. CDT has long been engaged in the work of the IETF and other standards bodies, with an eye towards both increasing public interest input into standards processes and fostering understanding among Internet technologists, policymakers and advocates.

The IETF describes itself as a “large open international community of network designers, operators, vendors, and researchers.� It has no membership. Anyone who wants to attend a meeting or submit a proposal for a new protocol or standard is welcome to do so. The organization is comprised purely of volunteers.
(more…)

Should search engines retain a record of search queries? What benefits or harms flow from retaining that data? Should academic researchers be able to get access to “query logâ€? data from search companies? What kinds of research can be done with this data? And — critically — what about the privacy of the search engine users?

All of these questions were debated and discussed in a workshop yesterday at the WWW 2007 conference entitled “Query Log Analysis: Social and Technological Challenges.” WWW is the leading annual academic conference focused on the Web and the Internet. This year the conference is in Banff in the Canadian Rockies (making staying indoors for the sessions quite a challenge).

The Query Log workshop addressed a fascinating set of issues, the foremost of which is the significant privacy risk raised by the retention (or distribution) of logs of search terms on sites such as Google, MSN, Yahoo, Ask etc. As the WWW event is an academic conference, there was much attention to the plight of researchers outside of the search companies. Researchers are frustrated that they have little or no access to actual data – the actual queries entered into search engines.

The companies are hesitant to disclose search data, both out of concern about compromising trade secrets about how they execute and track searches, but also because the backlash about the incident in August 2006 in which AOL released millions of search terms from about 650,000 users. Although AOL replaced user IDs with pseudonyms, it was relatively easy to identify some individual people from their search terms. There was, appropriately, a huge uproar about the harm to privacy, and AOL quickly took the data down.

Although the release of the data was clearly a mistake, AOL’s intentions were in fact honorable – AOL was trying to allow academic researchers access to actual search data. And ironically, the AOL data release did allow researchers to analyze core issues about privacy. In that data, for example, were social security and credit card numbers (raising privacy concerns by themselves), and researchers were able to document how privacy could be breached using the aggregated search of individuals’ searches.
(more…)

The inaugural Internet Governance Forum closed last Thursday in Athens, Greece after 4 days of panel discussions and workshops that attracted over 1,000 government officials, business representatives, and non-governmental organizations from around the world.

I was there, representing CDT and the Global Internet Policy Initiative (GIPI), our joint project with Internews. In two workshops and a plenary session, I highlighted GIPI as a proven model for working locally to reform national laws and policies in order to foster expanded Internet access in developing countries. Everything you need to know about GIPI can be found here.

Also present was GIPI executive director George Sadowsky, who, over the past 12 years, has educated and advised a generation of Internet technologists and policymakers in the developing world. As a special advisor to the Chair of the IGF, Sadowsky had a major role in planning the Forum.

The unstated question at the IGF was “What is Internet governance?” Based on our experience with GIPI, both George and I stressed repeatedly that 90% of Internet governance is local: telecommunications policy (especially enforcement of competition and interconnection), licensing requirements, limits on use of wireless technology, the privacy framework, and management of country-code Internet domains.

Overall, it seems as though the initial misperceptions that equated ICANN with Internet governance have been replaced with a more sophisticated view. Although some speakers continued to express vague complaints about Western dominance of the Internet, many speakers from developing talked about problems at home and what they are doing to create a framework more conducive to Internet growth.

In comments at the closing plenary, I urged participants to follow the adage “Think globally, act locally.” I recommended that each country present should convene at the national level an ongoing multi-stakeholder dialogue — local businesses, government officials, academics and users — to identify specific barriers and specific solutions that can be implemented through national strategies.

The session closed with the announcement that the next IGF will be in Rio de Janeiro, Brazil, November 12-15, 2007.

The IGF Website, with transcripts, is here.

On October 16, the Internet Corporation for Assigned Names and Numbers (ICANN) asked the online public to provide input for how to improve the transparency and accountability of the organization’s operations. This is a very good thing. Unfortunately, the deadline ICANN set for members of the Internet community to submit comments was October 31. This is a major problem.

We applaud ICANN for attempting to address its historic deficiencies in providing adequate transparency and accountability. No issue has been more damaging to ICANN’s credibility in the Internet community. But the artificially constrained timeframe ICANN has laid out for addressing the problem has left many observers to wonder if ICANN understands the scope of the problem or the challenges the organization will face in addressing it.

ICANN’s first notice gave the Internet public two weeks to provide recommendations, and was premised on the assumption that ICANN’s board would enact new policies at the organization’s December meeting in Sao Paulo, Brazil. ICANN later issued a second notice clarifying that it was seeking only “preliminary” responses by October 31, and announcing that the board would now take up the issue in March 2007.

That still seems like an awfully short timeframe to fix what appear to be a systemic problems with ICANN’s policies and institutional culture. In our preliminary comments to ICANN we offer some suggestions for fixing the most glaring instances of opaque and unaccountable practices, but also urge ICANN to step back and commit to devoting the time and resources needed to address these issues in a way that makes the organization truly stronger and more stable.

ICANN has taken a worthy and important step in throwing these issues open for review and improvement. Now it must make sure it follows through on what it started.